httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: authz / authn and mod_auth_ldap
Date Fri, 17 Jan 2003 15:23:06 GMT
+1 for splitting auth_ldap into authz/authn. We will be releasing our
mod_edir module that provides an alternative authorization service for
auth_ldap.  It relies on mod_auth_ldap for authentication and then
enforces access control through mod_edir.  It is currently implemented
by adding an "edir-user" option in place of "valid-user" to the requires
directive.  Splitting auth_ldap into authz/authn would allow us to
completely replace the authorization services with eDirectory.  


Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 

>>> jerenkrantz@apache.org Friday, January 17, 2003 2:02:17 AM >>>
--On Friday, January 17, 2003 9:59 AM +0200 Graham Leggett 
<minfrin@sharp.fm> wrote:

> If I were to change mod_auth_ldap to use the new authz/authn system
> in v2.1, I have to split mod_auth_ldap into mod_authn_ldap (the
> is-password-correct part) and mod_authz_ldap (group-membership
> part). Am I correct?

No, you don't *have* to split them into different modules.  One 
module could register for both authn/authz providers.  The only 
reason we split was because there wasn't a lot of shared code between 
the other auth modules.  I think mod_auth_ldap has a lot of shared 
code in its authn/authz split.  Perhaps a mod_auth_ldap core module 
that exports the basic LDAP functionality, then a mod_authn_ldap and 
mod_authz_ldap module that does the direct auth code?  I dunno.  -- 
justin
